much access, while at the same
time making sure you are not
providing them too little access
for them to do their jobs."
Figure 2: What types of AIX-related
security threats most currently
concern you? Rank the threats from
most concerning to least concerning.
Security Management
Of the 57.7 percent of respondents
that said they haven't deployed a
security and event-management
solution, 15.6 percent are using
IBM PowerSC*. Notably, the
PowerSC solution was recently
given a GUI makeover to improve
usability. And 26.8 percent use
other solutions, including IBM
QRadar*, IBM Security Guardium*
and IBM Tivoli* Access Manager,
as well as a number of third-party
and in-house tools (see Figure 3,
below).
In a similar vein, when asked
if their organizations were using
security information and event
management (SIEM), 59.3 percent
of respondents said no. Those
not using SIEM reported using a
wide range of solutions, including
QRadar, AlienVault and ArcSight.
Dominguez says SIEM is
important. "They need to be using
an SIEM product of some type.
It's kind of like going to war with
just a grenade," Dominguez says.
"There is certain fundamental
security tooling that you have to
use. If you're not using it, you're
creating a significant hole in the
security of your environment."
That said, 78.4 percent
of respondents have
information-security policies in
place; the remainder don't (10.4
percent) or are unsure if they do
(11.1 percent).
Societe Generale Albania does,
as Vrenozaj explains, "We have
password policies, workstation
and server hardening, user
awareness, and we also use
monitoring and auditing in case
of issues. We also rely on group
recommendations, as in the
case of our recommended
yearly audits."
Item                                                 Overall Rank
Authorized system user access or credential abuse    1
External hackers                                     2
Unauthorized users                                   3
Phishing                                             4
Software hooks (trapdoors)                           5
Unprotected downloads                                6
Malware                                              7
Other                                                8
None                                                 9
Security Audits
A majority of survey respondents reported
conducting regular audits every three months (20.3
percent), every six months (15.6 percent) or annually
(26.2 percent).
SNS Bank conducts audits annually, but is also
very rigorous between those events. "For all our
UNIX servers - AIX and Linux* - we report on a
monthly basis the security risks and apply fixes every
month," Sonnemans says.
Dominguez remarks, however, that audit quality
is as important as frequency. He cites the
example of a 2009 data breach, and the response of
the CEO to PCI compliance assessors.
Figure 3: What security management solutions does your organization deploy?
IBM PowerSC: 15.6%
We don't deploy an external security management solution: 57.7%
Other solution: 26.8%
"He was very upset not just
at the PCI auditor, but also
the PCI Standards Council. In
effect, saying 'Listen, you need
to change your requirements.'
He was specifically referring
to the requirement to include
end-to-end encryption in their PCI
audits," Dominguez recalls. "He
was essentially saying the quality
of the PCI assessment process
needed to be better, because
what PCI had required wasn't
sufficient to prevent a breach. So
the quality and depth of the audit
is imperative."
These audits examine a wide
array of security-related topics,
including policy and governance
(65.1 percent of all respondents),
end-user security compliance
(52 percent), hardware security
(58 percent), software security
(73.3 percent), network security
(70.7 percent), physical security
(55.7 percent), authorization
(62.2 percent) and access control
(60.8 percent).
Societe Generale Albania's
security audits look at, among
other issues, security policies,
software and network security,
authorization, user-access control
and logins. SNS's audits cover
access control (authentication
and authorization), UNIX settings,
standard access rights for users
and groups, TE/RBAC security
settings, remote access, file
transfers, intrusion detection,
password policies and SSL/SSH
settings, in addition to other
issues.
"If you're not being systematic,
there's a danger that, although
you may have a lot of great
security defenses, hackers will
simply go around them to find
the weak link to breach your
environment. You probably can't
account for everything, and that's
one of the challenges of security.
But the more thorough you are,
the better," Dominguez adds.
ibmsystemsmag.com JULY 2017 // 23
